This Statement sets out Outotec’s commitment to keeping the users of our web services information private, confidential and secure at all times and the information gathering and dissemination practices for www.outotec.com.

Data Controller

Consent

By using this website www.outotec.com (“Site”), you acknowledge and consent to the collection, processing and disclosure of personal data as described in this Statement. Outotec only collects, processes or discloses personal data necessary for the purposes stated in this Statement, and Outotec only retains personal data for as long as it is necessary to fulfill those purposes

Visitor identification

Outotec uses Cookies in order to recognize a returning visitor as a unique user. A cookie is an element of data that is sent to your browser and stored on your hard-drive, and not on this site (“Cookie”). Outotec uses Cookies to track your navigation at and usage of the Site to improve your Site experience. The cookies placed by the Outotec server or third party service providers are readable only by Outotec, and cookies cannot access, read or modify any other data on a computer. If you do not wish to receive cookies, or want to be notified when they are placed, you may set your web browser to do so. Kindly note, that in some countries we may be required by law to obtain your consent by asking you to opt-outfor receiving the cookies. Such consent is always voluntary and can be withdrawn at any time. Please note however that if you disable cookies or decide not to give your consent for us to use cookies, some useful sections of the Site may not work and you may not be able to use the Site in its full capacity. Outotec tracks aggregate statistics, such as Site users’ Internet protocol address and related location information, computer operating system, browser type and the address of any referring websites, and general information about this Site's traffic patterns and related site information.

Purposes of collection and processing of personal data

Outotec collects and processes personal data for the following purposes:

Marketing and selling of Outotec’s products and services

Providing the information inquired from Outotec

Collecting and handling feedback

Personalization of the Site content and user experience

In the course of your use of the Site, we automatically track certain information about you. This information is used internally in order to compile and distribute statistics and general market place information, in marketing and promotional efforts, to tailor our service to suit the needs of our users, and to help us improve our Site in general. This is essential to making our service the best it can be.

In addition, aggregate non-personal data is used for reporting Site performance.

Transfer of personal data

Outotec does not transfer your personal data to any third party without your consent, except when necessary for Outotec to be able to respond to your requests or answer your inquiries, or when otherwise allowed or required by applicable law.

Outotec may however use third party service providers in implementing its marketing campaigns or customer satisfaction surveys. For the purposes of the implementation of such marketing campaigns or surveys, Outotec may disclose personal data to third party service providers. Outotec transfers personal data solely to third party service providers that ensure the fulfilment of data protection related requirements.

Outotec does not resell or lease any collected personal data to other companies, advertisers or other third parties for their promotional purposes.

Outotec Oyj may transfer personal data outside of the EU or the EEA. Appropriate safeguards related to the transfer are implemented.

External Links and other parties

The Site contains links to other sites. Outotec is not responsible for the privacy practices or the content of such other sites.

If you disclose information to other parties, whilst using the Outotec web services, Outotec does not control their privacy policies or use of such information. We recommend that you ask such other parties about their privacy policies before disclosing personal information.

Your rights as a data subject

You, as a data subject, shall have a right of access to your personal data processed by Outotec.

In the event your personal data is inaccurate or incomplete, you have a right to request Outotec to rectify or erase such personal data.

Further, you shall always have the right, to object to the processing of your personal data for direct marketing purposes.

Kindly note that in order for Outotec to execute your requests you may be required to verify your identity.

Should you wish to receive information on the personal data processed by Outotec, or for any related inquiries or requests, please contact Outotec at data.protection@outotec.com. We will respond to you as soon as possible.

Data security

Outotec and its third-party service providers use industry-standard efforts to safeguard the confidentiality of your personal information such as firewalls and authentication protection as relevant.

Updates to this Statement

This Statement will be updated periodically to reflect changes in data protection related legislation, our technology or business process. Any amendments will be posted at the Site.

Contact us

1. What personal data is processed, and how?

Types of data. The categories of your data processed by Outotec are the following:

name

contact details

phone number

email address

professional title

The personal data has been obtained primarily from you as the data subject, or in some cases your employer.

Data controller. Outotec Oyj is the data controller of the supplier data register.

Purpose. Personal data is processed and used for the purpose of managing the supplier relationship in Outotec’s regular business. If the data is processed for another purpose, Outotec shall inform you of this other purpose as well.

The processing of personal data is deemed lawful as it is based on a contractual relationship between Outotec and the supplier (active suppliers) or Outotec’s legitimate interest (potential suppliers). The legitimate interest is supplier relationship management for legitimate commercial purposes, where personal data is collected and processed only for foreseeable purposes, and the collecting and processing of the data is not considered to cause harm or negative consequences to you as the data subject.

Transfer to third parties. Your personal data may be disclosed to the following recipients: to relevant Outotec customers and other Outotec suppliers when relevant for the business in question.

Transfer to outside EU/EEA. Personal data is transferred to and/or accessed from outside EU and/or EEA to any Outotec location by Outotec or its data processors. For Outotec locations, please see www.outotec.com/locations.

Storage. Personal data will be stored on the basis of the following criteria, whichever comes first:

as long as relevant for Outotec’s business; or

for non-active suppliers, for a period of ten years after the contract term is over.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed;

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority. The data protection authority in Finland is the Data Protection Ombudsman (Tietosuojavaltuutettu).

Outotec will respond to your above requests without undue delay and within 30 days.

3. Contact us

If you have any questions or requests relating to processing of your personal data at Outotec, please contact:

1. What personal data is processed, and how?

Outotec processes your personal data within the inventor data register according to applicable laws, including the General Data Protection Regulation (2016/679; the "GDPR") and other applicable national data protection laws.

Data controller. Outotec Oyj is the data controller of the inventor data register.

Source of data. The personal data has been obtained from you as the inventor.

Purpose. Personal data is processed and used for the purpose of registering and managing Outotec’s intellectual property and intellectual property rights. If the data is processed for another purpose than for which it was collected, Outotec shall inform you of this other purpose as well.

The processing of personal data is deemed lawful as it is based on the employment relationship, or a contract between Outotec and your employer.

Transfer to third parties. Personal data (name, contact details) will be disclosed to patent agencies and local patent authorities for registering and managing Outotec’s intellectual property and intellectual property rights.

Storage. The personal data is stored on the basis of the following criteria:

bank account details: until the final payment of inventor’s reward or compensation, and for one year thereafter.

other personal data: during the validity of the patent, or validity of the trade secret, and for five years thereafter.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority. The data protection authority in Finland is the Data Protection Ombudsman (tietosuojavaltuutettu).

Outotec will respond to your above requests without undue delay and within 30 days.

3. Contact us

If you have any questions or requests relating to processing of your personal data at Outotec, please contact:

1. What personal data is processed, and how?

Outotec processes personal data within the customer data register according to applicable laws, including the EU General Data Protection Regulation (2016/679) and applicable national data protection laws.

Data controller. Outotec Oyj is the data controller of the customer data register.

Types of data. The categories of data processed by Outotec may be the following:

name

job title, job role

contact details

username for enabling digital service delivery

IP address and related location data is processed for those website users who fill in online forms at Outotec website www.outotec.com.

computer identification information (the machine name and machine code) for validating the license for HSC Sim software

passport data to support visa applications

Source. The personal data has been primarily obtained from you as the customer representative, and in some cases from your employer, or from public sources including social media. For Outotec webshop IP address, the machine name (computer identification) and machine code is automatically generated when the user activates the license.

Purpose. Personal data is processed and used for customer relationship management, including sales and marketing purposes, and delivering our solutions and services to customers. If the data is processed for any other purpose, Outotec shall inform the data subject of this other purpose also.

Legal basis. The processing of personal data is deemed lawful as it is based on the contractual relationship (in managing customer relationship, delivering of solutions and services), the consent of the data subject (for Outotec website users), or Outotec’s legitimate interest (in sales and marketing). Outotec’s legitimate interest is customer relationship management for legitimate commercial purposes, where personal data is collected and processed only for foreseeable purposes, and the collecting and processing of the data is not considered to cause harm or negative consequences to you as customer representative.

Outotec will inform the data subject if the provision of personal data is based on a statutory or contractual requirement, or is necessary for entering into a contract, and the possible consequences of not providing the personal data.

Transfer to third parties. Personal data may be disclosed to third parties as follows: - to marketing campaign and customer events related service providers - to customer feedback surveys related service providers, e.g. interviews, data analytics - to IT system related service providers, for e.g. design, implementation, test and use support.

Transfer to outside EU/EEA. Personal data is transferred to and/or accessed from outside EU and/or EEA to any Outotec location by Outotec or its data processors. For Outotec locations, please see www.outotec.com/locations.

usernames for enabling digital services delivery: 3 years after the contract term has expired

IP address and related location data: 5 years

computer identification information (the machine name and machine code) for validating the license for HSC Sim software: for the validity of the HSC Sim license

passport data to support visa applications: until the applied visa is granted to you

name and contact details: for the duration relevant for Outotec’s business in question.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed;

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

opt-out of receiving our marketing material. You can contact us any time or unsubscribe from our marketing through the link included in our marketing material;

withdraw your consent, when you have given your consent to processing your personal data. You can contact us any time for withdrawal; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. for direct marketing purposes or when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority. The data protection authority in Finland is the Data Protection Ombudsman (Tietosuojavaltuutettu).

Outotec will react to your above requests without undue delay and within 30 days.

3. Contacts

If you have any questions or requests relating to processing of your personal data at Outotec, please contact:

1. What personal data is processed, and how?

Outotec processes personal data within the external workforce data register according to applicable laws, including the EU General Data Protection Regulation (2016/679) and applicable national data protection laws.

Types of data. The categories of data processed by Outotec may include the following.

personal Details (e.g. Name, personal ID)

phone number and email address

Curriculum Vitae data if relevant for the work to performed

passport and work visa information

access control to premises, working time control, IT access control

ICT system log information

Registered data can vary individually or depending on the country, local legislation and individual circumstances.

Source of data. The personal data has been primarily obtained from you as an external workforce or in some cases from your employer.

Purpose. Personal data is processed for the purpose of the utilization of external workforce in Outotec business. If the data is processed for other purposes, Outotec shall inform the data subject of this other purpose also. The processing of personal data is deemed lawful as it is based on the contractual relationship. Outotec will inform the data subject if the provision of personal data is based on a statutory or contractual requirement, or is necessary for entering into a contract, and the possible consequences of not providing the personal data.

Transfer to third parties. Certain elements of your personal data may be disclosed to the following recipients:

Name, phone number and email address to service providers for business infrastructure and IT system related purposes.

Curriculum vitae information and passport copies to Outotec’s customers on request, e.g. when you are working at the customer site. -

personal details (e.g. name, personal ID): 10 years after the contract with Outotec has terminated

Phone number and email address: 10 years after the contract with Outotec has terminated

Curriculum Vitae data if relevant for the work to performed: 3 years after the contract with Outotec has terminated

Passport,work permit and work visa information: 5-10 after the contract with Outotec has terminated

Access control to premises and working time control

IT access control: 1-6 years

ICT-systems log information : 0-5 years

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed;

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority. The data protection authority in Finland is the Data Protection Ombudsman (tietosuojavaltuutettu).

Outotec will respond to your above requests without undue delay and within 30 days.

3. Contacts

If you have any questions or requests relating to processing of your personal data at Outotec, please contact:

1. What personal data is processed, and how?

Outotec processes personal data within the insider data register according to applicable laws, including the General Data Protection Regulation (2016/679; the "GDPR") and other applicable national data protection laws.

Data controller. Outotec Oyj is the data controller of the insider data register.

Types of data. The personal data processed by Outotec may include the following:

name, including maiden name

date of birth

personal ID

contact details, including work place address and home address

Purpose. Personal data is processed and used for maintaining a statutory insider register. If the data is processed for another purpose, Outotec shall inform you as an insider of the other purpose as well.

Legal basis. The processing of personal data is deemed lawful as it is based on Outotec’s compliance obligations.

Outotec will inform the data subject if the provision of personal data is based on a statutory or contractual requirement, or is necessary for entering into a contract, and in that case the possible consequences of not providing the personal data. Source of data. The personal data has been obtained from you as an insider or from the Finnish book-entry system maintained by Euroclear Finland (the central securities depository). The information in the book-entry system is confidential, unless consent has been provided or there is a legal basis for disclosing the information (According to Chapter 8, Section 1 of the Act on the Book-Entry System and Clearing Operations). Transfer to third parties. Personal data is disclosed to Euroclear Finland as the central depository which provides the insider register service to Outotec, and to relevant authorities when required by law.

Storage. Personal data will be stored for five years from the date of entry.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed;

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

have your data erased from Outotec’s and Euroclear Finland’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data. This right does not apply to the Finnish book-entry system.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. for direct marketing purposes or when your data is processed based on legitimate interest. If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority The data protection authority in Finland is the Data Protection Ombudsman (Tietosuojavaltuutettu).

Outotec will react to your above requests without undue delay and within 30 days.

1. What personal data is processed, and how?

Outotec processes personal data within the shareholder data register according to applicable laws, including the EU General Data Protection Regulation (2016/679) and applicable national data protection laws.

Data controller. Outotec Oyj is the data controller of the shareholder data register.

Types of data. The categories of data processed by Outotec are the following:

name of the shareholder (or name of the nominee registration custodian)

personal ID or other identifying code

contact data

payment data

tax data

number of Outotec Oyj shares held by you as a shareholder

the central securities depository participant who manages the book-entry account in which the shares are registered.

For the temporary inclusion in the shareholder register under the Finnish Limited Liability Companies Act Chapter 5, Section 6a, the following information is processed:

name

address

personal ID or other personal identifier

number of Outotec Oyj shares held by you as a shareholder

Purpose. Personal data is processed and used for maintaining a statutory shareholder register. If the data is processed for another purpose, Outotec shall inform the data subject of the other purpose as well.

Legal basis. The processing of personal data is deemed lawful as it is based on Outotec’s compliance obligations (the Finnish Limited Liability Companies Act, Chapter 3, Section 15). Outotec will inform the data subject if the provision of personal data is based on a statutory or contractual requirement, or is necessary for entering into a contract, and in that case the possible consequences of not providing the personal data.

Source of data. The personal data has been obtained you as a shareholder and from the Finnish book-entry system.

Transfer to third parties. Euroclear Finland Oy maintains the shareholder register as a service provider on behalf of Outotec. Information is transferred to Euroclear Finland Oy as far as needed for this purpose. Euroclear Finland Oy’s service providers (processors) Capgemini India Private Ltd and Tata Consultancy Services process data outside of the EU / ETA in India. The safeguards used in the transfer in accordance with the GDPR are the standard clauses adopted by the European Commission.

The shareholder register will be public in the Euroclear Finland office (the central securities depository), except for the following information: the identifying part of the personal identity code, payment details, taxation details, and details on which trading account the shares to be sold on behalf of the owner are registered. By paying the costs, anyone has the right to obtain a copy of the list of owners or part thereof, to the extent that public access to the information is not limited by the Finnish Limited Liability Companies Act.

In addition, Outotec publishes a list of 50 largest shareholders on its website https://www.outotec.com/company/investors/shareholders/, which includes the following information of the largest shareholders: name, number of shares, %-age of shares, change in ownership (as number of shares and %-age) and the market value.

The temporary shareholder register dated on the record date of the Annual General Meeting is public according to the above principles, during the day of the Annual General Meeting and for three working days after the meeting.

Storage time. Personal data is stored for the following time period:

The shareholder register: stored as long as you hold Outotec Oyj shares. After a change in ownership the shareholder register is updated with the new shareholder information.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

obtain a confirmation that your personal data is processed;

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time on grounds relating to your particular situation, e.g. for direct marketing purposes or when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority The data protection authority in Finland is the Data Protection Ombudsman (Tietosuojavaltuutettu).

Outotec will react to your above requests without undue delay and within 30 days.

Outotec processes personal data within the job applicant data register according to applicable laws, including the EU General Data Protection Regulation (2016/679) and applicable national data protection laws.

Data controller. Outotec Oyj together with its group companies are the joint data controllers of the job applicant data register.

Types of data. The categories of data processed by Outotec may include the following.

personal details (name)

contact details (home address, phone number, email address)

curriculum vitae information (e.g. education, competencies and work experience and other related data that you choose to provide as job applicant)

pictures and video material submitted with the application

assessments conducted during the recruitment

general medical checks for suitability for the work

background checks if required by specific job and notified to you as applicant in advance

race, if statutory legal requirement.

Registered data can vary individually depending on the country, local legislation and individual circumstances.

Source of data. The personal data may be obtained from you as an applicant, relevant authorities, companies providing assessment services and occupational health care providers.

Purpose. Personal data is processed for the purpose of the recruitment. If the data is processed for other purposes, Outotec will also inform you of the other purpose. The processing of personal data is deemed lawful as it is based on the consent of the data subject. Outotec will inform you if the provision of personal data is based on a statutory or contractual requirement, or is for entering into a contract, and the possible consequences of not providing the personal data.

Transfer to third parties. Certain elements of personal data may be disclosed to government officials, companies providing assessment services, occupational health care providers and if background checks are required, to relevant service providers.

Transfer outside EU/EEA. Personal data may be transferred to and/or accessed from outside EU and/or EEA to any Outotec location by Outotec or its data processors. For Outotec locations, please see www.outotec.com/locations. The safeguards used in the transfer are the standard data protection clauses adopted by the European Commission. For further information, please see European Commission website .

Storage. Job applicant data is stored for a period of 12 months after the most recent applicant profile update.

2. What are your rights to your data?

For your personal data which is processed at Outotec, you have a right to:

request a copy of your personal data;

request that Outotec corrects inaccurate or incomplete personal data that concerns you; and

withdraw your consent, when you have given your consent to processing your personal data. You can contact us any time for withdrawal; and

have your data erased from Outotec’s systems in some cases, e.g. when the purpose for which the data was collected no longer applies, or Outotec has no further legal ground to process your personal data.

You also have a right to object to processing of your data by Outotec at any time, on grounds relating to your particular situation, e.g. when your data is processed based on legitimate interest.

If you consider that the processing of your personal data at Outotec infringes the applicable data protection laws, you have a right file a complaint to a supervisory authority. The data protection authority in Finland is the Data Protection Ombudsman (tietosuojavaltuutettu).

Outotec will respond to your above requests without undue delay and within 30 days.

3. Contact us

If you have any questions or requests relating to processing of your personal data at Outotec, please contact:

Joint controller arrangement between Outotec Oyj and its subsidiaries:

Job applicant data register

1. Joint controller arrangement

Outotec Oyj together with its subsidiaries (separately the “Party”, together the “Parties”) are joint controllers in accordance with Article 26 in the General Data Protection Regulation 2016/679 (“GDPR”) regarding Outotec job applicant personal data register and its data.

The data processed in the job applicant register may include:

personal details (name)

contact details (home address, phone number, email address)

curriculum vitae information (e.g. education, competencies and work experience and other related data that you choose to provide as job applicant)

pictures and video material submitted with the application

assessments conducted during the recruitment

general medical checks for suitability for the work

background checks if required by specific job and notified to you as applicant in advance

2. Processing of personal data

Each Party shall have responsibilities of the data controller in accordance with the GDPR. Each Party is determined to fulfill their compliance responsibilities especially towards the data subjects. The Parties ensure that their personnel is trained regarding data protection matters and that data privacy measures are in place.

Each Party is familiar with and respect the Outotec Data protection policy, instructions and related documentation at Outotec.

Collection of data. Each company collects the data regarding the job applicants applying open vacancies in the respective company. The data is collected from job applicants and from service providers conducting assessments during the recruitment process.

Processing, retention and transfer of data. The personal data is stored by Outotec Oyj and its subsidiaries. All Parties are responsible for the maintenance of appropriate security measures for the personal data, and for ensuring that the jointly processed personal data is handled in accordance with the GDPR and other relevant legislation. The personal data shall be maintained for 12 months after the last profile update, after which it will be destroyed.

Deletion of data. Each Party is responsible for the deletion of the personal data after the storage time for the data has ended.

3. Responsibilities

Outotec Oyj is responsible to respond to data subjects’ requests regarding the job applicant register, and for informing the data subjects on the personal data collected. Outotec Oyj is also responsible to communicate with data protection authorities. All Parties are responsible to ensure the mutual transparent communication in all matters regarding the register.

4. Securing data subjects’ rights

Data subjects are informed of the collection and processing of their personal data when the data is collected for the first time.

5. Contact details

The Outotec contact person for the register is Data Protection Officer Kimmo Ahonen (email: data.protection@outotec.com), for all requests and questions regarding the register.

However, the data subject may contact each Party regarding the fulfilment of the data subject’s rights.

6. Allocation of responsibility

The data subject may use his/her rights under the GDPR in relation and against to each of the data controllers. The Parties have a joint responsibility to fulfill the data controller’s responsibilities stated in the GDPR.